Windows The event log view command usually has 2 Kind of ：Get-WinEvent and Get-EventLog, So what is the difference between the two ？ What is the application scenario ？

One 、 Differences and connections

Connection means that both can be handled Windows The event log , And any command used during local execution will not affect the output results , Here we mainly discuss the differences ：

1. Get-EventLog Limited to the so-called “ Traditional event log ”, namely ：

Application

Security

System

HardwareEvents

Internet Explore

Key Management Service

Windows PowerShell;

and Get-WinEvent You can query hundreds of logs , This includes more detailed “Applications and Services Logs”.Get-WinEvent It's from Windows Vista Just started to introduce , Than Get-EventLog A lot later ;

You can see from the following command ,Get-EventLog You can see 7 Log files ; and Get-WinEvent You can look at 406 Log files .

2. Get-EventLog Can only handle Online journal , Can't handle archived（offline） journal , You will be prompted that you cannot access ; and Get-WinEvent No problem , namely ：Get-WinEvent Support both .evt/.evtx, And support etl Format log ;

3. Get-EventLog When working on the local computer , There may be no problem , But when connecting across the network （ That is, when the event logs of multiple machines are remotely managed in batches ）, Efficiency will be greatly reduced , However Get-WinEvent The efficiency will be much higher .

4. When the query statement contains Date when ,Get-WinEvent The efficiency will be greatly reduced , therefore , It is suggested that priority be given to Get-Eventlog.

Two 、 Comparison of execution efficiency

Here I simply write the following PowerShell Script , For testing Get-EventLog and Get-WinEvent Execution efficiency under screening conditions .

#########Get-EventLog and Get-WinEvent Perform efficiency tests #################
#########################Get-EventLog###########################‎
$LogName = "Security"
$StartDate = (get-date).AddDays(-1)
$hashquery = @{logname=$LogName; StartTime=$StartDate}
Write-Host -ForegroundColor Green " test Get-EventLog, Conventional filtering （ Conditions ：Eventid=4625、 near 1 God ）"
(Measure-Command -Expression {Get-EventLog -LogName $Logname -After $StartDate -InstanceId 4625}).TotalSeconds

#########################Get-WinEvent###########################‎
## Method 1:
Write-Host -ForegroundColor Green " test Get-WinEvent, Use where-object Filter ( Conditions ：Eventid=4625、 near 1 God )"
(Measure-Command -Expression {Get-WinEvent -LogName $LogName | Where-Object { $_.TimeCreated -ge $StartDate -and $_.ID -eq "4625" }}).TotalSeconds
## Method 2:
Write-Host -ForegroundColor Green " test Get-WinEvent, Use HashTable Filter ( Conditions ：Eventid=4625、 near 1 God )"
(Measure-Command -Expression {Get-WinEvent -FilterHashTable $hashquery}).TotalSeconds
## Method 3:
Write-Host -ForegroundColor Green " test Get-WinEvent, Use Xpath Filter ( Conditions ：Eventid=4625、 near 1 God )"
$StartDate = (Get-Date).AddDays(-1).ToString("yyyy-MM-dd'T'HH:mm:ss'Z'")
(Measure-Command -Expression {Get-WinEvent -LogName Security -FilterXpath "*[System[(EventID=4625) and TimeCreated[@SystemTime>='$StartDate']]]"}).TotalSeconds
## Method 4:
Write-Host -ForegroundColor Green " test Get-WinEvent, Use XML Filter ( Conditions ：Eventid=4625、 near 1 God )"
#Using the FilterXML parameter:
$XMLFilter = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4625) and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]</Select>
  </Query>
</QueryList>
'@
[array] $Events = @()
(Measure-Command -Expression {$Events += Get-WinEvent -FilterXml $XMLfilter }).TotalSeconds
## Method 5:
Write-Host -ForegroundColor Green " test Get-WinEvent, Use XML Filter （ Conditions ：Eventid=4625、 near 1 God 、 Keyword approval failed ）"
#Using the FilterXML parameter:
$XMLFilter = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[band(Keywords,4503599627370496) and (EventID=4625) and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]</Select>
  </Query>
</QueryList>
'@
[array] $Events = @()
(Measure-Command -Expression {$Events += Get-WinEvent -FilterXml $XMLfilter }).TotalSeconds

The test results are shown in the following figure :

1. test Get-EventLog, Conventional filtering （ Conditions ： lately 1 Within days Eventid=4625 The event log ）, Time consuming ：4.53 second ;

2. test Get-WinEvent, Use where-object Filter （ Conditions ： lately 1 Within days Eventid=4625 The event log ）, Time consuming ：710.76 second ;

3. test Get-WinEvent, Use HashTable Filter （ Conditions ： lately 1 Within days Eventid=4625 The event log ）, Time consuming ：268.76 second ;

4. test Get-WinEvent, Use Xpath Filter （ Conditions ： lately 1 Within days Eventid=4625 The event log ）, Time consuming ：231.09 second ;

5. test Get-WinEvent, Use XML Filter （ Conditions ： lately 1 Within days Eventid=4625 The event log ）, Time consuming ：269.49 second ;

6. test Get-WinEvent, Use XML Filter （ Conditions ： lately 1 Keywords generated within days are “ Audit failed ” And Eventid=4625 The event log ）, Time consuming ：263.30 second .

The test results show that ：--- Be careful , The test environment is different , The results are inevitably slightly different .

1. On the local computer ,Get-EventLog It's more efficient than Get-WinEvent The execution efficiency of is very high , Very widely used ; 2. Get-WinEvent in XPath The filtration efficiency will be higher than XML and HashTable Efficient ; But in practice ,Xpath There are few cases and materials , Instead, HashTable More information , But fortunately, it can be passed Windows The graphical interface simply checks , Automatic generation XML and XPath Filter content , No need to write code manually .

Demonstrate how to simply tick , Automatic generation XML and XPath Filter content ：

Here's the picture , Switch to XML tab , You can see that in the red box is XML Sieve content ; The green underlined part is XPath Sieve content .

Be careful ,XPath The content needs to be adjusted TimeCreated The format of .

3、 ... and 、 Summary ：

Get-WinEvent： Powerful , But the application is a little complicated , It is more suitable for cross network batch log processing ;

Get-EvenLog: Simple and easy to use , But it can only manage traditional logs , It is more suitable for local log processing .

All in all , Each have advantages and disadvantages , Cross network priority Get-WinEvent, Local priority Get-EventLog, To view more detailed application and service logs , Can only choose Get-WinEvent.